While trying to learn the ADFS 2.0 environment, I created an empty ASP.NET claims-aware application to be the RP, using Visual Studio 2010.

Using ADFS 2.0, I did the following:

  1. Created a SAML 2.0 relying party using the 'Add Relying Party Trust...' wizard
  2. Created a SAML 2.0 Claim Provider using the 'Add Claims Provider Trust...' wizard

Now I did the following steps:

  • Pointed the browser to http://localhost/adfs/IdpInitiatedSignOn.aspx
  • Selected the RP defined in step 1 from the combo box as the site to sign in to.
  • On the next page, selected the IDP defined in step 2 from the combo box as the authenticating site.
  • Clicked 'Continue to Sign in'

ADFS 2.0 now redirects me to the URL configured for the IDP, with a SAMLRequest attached to the request (which is great).

However, the SAML Request that arrives at the IDP does not contain any ACS URL (more technically, there is no "AssertionConsumerServiceURL" XML node).

Isn't the ACS URL a mandatory attribute in a SAML Request?

Thanks! Yoash

A: 

If you are open to considering an alternate approach, the described use case could likely be enabled in a free Proof of Concept with SSO Easy's SAML product in about 1 hour, and be production ready in a few hours. No coding required, no SAML expertise required, with out of the box asp .net platform support/integration. This will save countless hours of effort.

Pricing starts as low as $1,000.

http://www.ssoeasy.com/home

rcarroll
A: 

Hi Yoash,

No, the ACS URL is not a mandatory attribute in a SAML 2.0 AuthnRequest. This information is typically exchanged in the meta-data when you set up the trust relationship between the IDP and SP. This simplifies the security check the IDP must do if the ACS URL or ACS Index is present (it must be the same as the meta-data, or the AuthnRequest MUST be digitally signed).

We've done quite a bit of interop work with MS WIF/WCF Claims aware applications via our STS as well as SAML 2.0 with ADFSv2 if you'd like some more information.

Ian Barnett www.pingidentity.com

Ian
Thank you Ian and sorry for the delay in my response. Is it possible to force the ADFS 2.0 to send the ACS URL within the SAML request?
Joshua
I would suggest that you configure this in the IDP otherwise you'll need to sign the AuthnRequest (per the SAML spec) which adds a layer of complexity. Or, with PingFederate, it "just works" and you'd probably be done by now. ADFSv2 is notoriously complex and poorly documented. Just my $0.02.
Ian
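The IdP-side check Ian describes (ACS URL optional; if present it must match the SP's metadata unless the AuthnRequest is signed), written out as an added example that is not part of this thread or of any product mentioned in it. The SP metadata table, the request IDs and the URLs are constructed stand-ins; signature verification is left to the caller, who passes `signature_verified=True` only after a real XML-DSig check.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-in for the SP's registered metadata: the ACS endpoints
# the IdP learned when the trust was set up (hypothetical URLs).
SP_ACS_BY_INDEX = {
    0: "https://sp.example.test/saml/acs",
    1: "https://sp.example.test/saml/acs-artifact",
}

def resolve_acs(authn_request_xml, registered=SP_ACS_BY_INDEX, signature_verified=False):
    """Return the ACS URL the IdP may send the Response to, or raise ValueError.
    signature_verified is an assertion by the caller that an XML-DSig check
    succeeded; this function does not verify signatures itself."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    if url is None and index is None:
        # The ADFS 2.0 case from the question: no ACS hint at all, so the
        # IdP falls back to the default endpoint from the trust's metadata.
        return registered[0]
    if url is not None and index is not None:
        raise ValueError("AssertionConsumerServiceURL and -Index are mutually exclusive")
    if index is not None:
        try:
            return registered[int(index)]
        except (KeyError, ValueError):
            raise ValueError(f"unknown AssertionConsumerServiceIndex {index!r}") from None
    if url in registered.values() or signature_verified:
        return url
    # An unsigned request naming an endpoint that was never registered must be
    # refused: honouring it would deliver the assertion to an arbitrary URL.
    raise ValueError(f"unregistered ACS URL {url!r} in unsigned AuthnRequest")

def _req(extra=""):
    # Builds a minimal constructed AuthnRequest with optional extra attributes.
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            f'IssueInstant="2012-01-01T00:00:00Z" {extra}/>')

REQ_NO_ACS = _req()  # what ADFS 2.0 sent in the question: no ACS hint
REQ_URL_OK = _req('AssertionConsumerServiceURL="https://sp.example.test/saml/acs"')
REQ_INDEX = _req('AssertionConsumerServiceIndex="1"')
REQ_BAD_URL = _req('AssertionConsumerServiceURL="https://other.example.test/acs"')

if __name__ == "__main__":
    for req in (REQ_NO_ACS, REQ_URL_OK, REQ_INDEX, REQ_BAD_URL):
        try:
            print("deliver to", resolve_acs(req))
        except ValueError as err:
            print("rejected:", err)
```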